Configure Watermark Investigation

To configure watermark investigation:

Ensure that the watermarking investigation tool has access to the data proxy.
Ensure that the data plane has connectivity to HashiCorp vault.

Download or create a properties .json file.

You can download an example properties file at this location:

https://docs.privitar.com/provisioning/resources/WatermarkInvProperties.json

Alternatively, you can create your own file using this code:

{
  "controlPlaneTarget": "dpp0000water.company-name.cloud:443",
  "exchangeId": "0651b9ca-eae4-4e36-b92b-04e9e459c33b",
  "dataPlaneId":  "376a5c9c-dc50-4c42-9c0d-5bc841803d1f",
  "username":  "testuser@acme.com",
  "controlPlaneChannelUsePlaintext": false,
  "controlPlaneChannelTrustedCertificatePath": "controlplane.crt",
  "controlPlaneChannelTlsProtocols":  ["TLSv1.2"],
  "jwtSigningKeyPath": "./jwt-signing-key.pem",
  "jwtSigningKeyPassword":  null,
  "jwtSigningAlgorithm": "RS256",
  "kmsProperties": {
    "properties":  {"authenticationToken": "hvs.kuzTOe7a6OTDLTZtCtBoRa5P", "url": "http://10.0.0.59:8200", "path": "secret"},
    "extraPropertiesFilePath": null,
    "adapterJarPath":  "./HashiCorpVaultKeyReader_deploy.jar",
    "sharedClassesRegex": "(org.slf4j.*)|(com.fasterxml.jackson.*)"
  },
  "csvProperties": {
    "filePath": "./watermark2__clients__20230602.csv",
    "fileContainsHeaders": true,
    "recordSeparator": "\r\n"
  }
}

For easier execution, copy the following files to the same directory of your choosing:
- the dataset .csv file that you want to investigate
- the properties .json file that you created (see the previous step)
- the private key .pem file that you generated as part of platform installationCreate a PKI Infrastructure
- watermarking investigation tool .jar file (in the data plane installer at /jars/dsp_watermarking_investigation_unshaded_deploy.jar)
- the KMS adapter .jar file (in the data plane installer at /jars/HashiCorpVaultKeyReader_deploy.jar)
- the control plane .crt certificate (Run the following command in the control plane namespace:)
```
kubectl get secret dpp-control-plane-tls-ingress-cert -o jsonpath='{.data.tls\.crt}' | base64 -D)
```

Edit the control plane section of the properties file to indicate the properties as follows:

{
  "controlPlaneTarget": "dpp0000water.company-name.cloud:443",
  "exchangeId": "0651b9ca-eae4-4e36-b92b-04e9e459c33b",
  "dataPlaneId":  "376a5c9c-dc50-4c42-9c0d-5bc841803d1f",
  "username":  "testuser@acme.com",
  "controlPlaneChannelUsePlaintext": false,
  "controlPlaneChannelTrustedCertificatePath": "controlplane.crt",
  "controlPlaneChannelTlsProtocols":  ["TLSv1.2"],
  "jwtSigningKeyPath": "./jwt-signing-key.pem",
  "jwtSigningKeyPassword":  null,
  "jwtSigningAlgorithm": "RS256",

To find the values for controlPlaneTarget, exchangeId, and dataPlaneId, download the data proxy configuration file as follows:

Log in to the user interface of the platform.
Click Data Exchanges in the left navigation.
Click Open Data Exchange.
Click the avatar symbol in the top right corner of the page and select Manage Exchange.
Click the Data Planes tab.
Click the arrow to the right of the associated data plane.
Click the Data Proxy tab.
Under Deployment Instructions, click Download.
The data proxy configuration file downloads.
Open this JSON file.
This file includes the dataPlaneId, the exchangeId, and the controlPlaneUrl.
Follow the instructions in the Watermarking Control Plane Properties table.

Table 53. Watermarking Control Plane Properties

Property	Description	Required?	Example	Default
`controlPlaneTarget`	Indicates the URL of the control plane. Based on the data proxy configuration file, this is the `controlPlaneUrl` without the `https://` at the beginning and the port number of `443` added to the end.	Yes	Example data proxy configuration file `controlPlaneUrl`: `https://dsp0000water.privitar.cloud` Equivalent entry for the `controlPlaneTarget` property: `dsp0000water.privitar.cloud:443`	N/A
`exchangeId`	Indicates the identifier for the associate data exchange. This is the exact same value as `exchangeId` in the data proxy configuration file.	Yes	`0651b9ca-eae4-4e36-b92b-04e9e459c33b`	N/A
`dataPlaneId`	Indicates the identifier for the associated data plane. This is the exact same value as `dataPlaneId` in the data proxy configuration file.	Yes	`376a5c9c-dc50-4c42-9c0d-5bc841803d1f`	N/A
`username`	Indicates the username on the platform for the user who will perform the watermark investigation. This can be any existing user with any platform role, or you may create a new user in the platform for this purpose.	Yes		N/A
`controlPlaneChannelUsePlaintext`	Indicates whether to use plain text for communication between the control plane and the watermarking investigation tool. The default (`false`) indicates that TLS is used for communication. This is a property of the control plane trusted certificate. You can find this in the control plane Kubernetes log file.	Yes		`false`
`controlPlaneChannelTrustedCertificatePath`	This is the path to the certificate included in the installation bundle for the platform. See Install the Control Plane. Alternatively, you can fetch the path in Kubernetes, by running the following commands: kubectl get secrets -n istio-system kubectl get secret <control plane certificate name> -n istio-system -o jsonpath='{.data.tls\.crt}' \| base64 --decode > ./certificate.crt	Yes		N/A
`controlPlaneChannelTlsProtocols`	Indicates the supported TLS protocols to use for communication between the control plane and the watermarking investigation tool. The supported values are [TLSv1.2, TLSv1.3]. You can find this in the control plane Kubernetes log file for the data proxy.	Yes		`TLSv1.2`
`jwtSigningKeyPath`	This is the path to the private key. Important In order to run a watermarking investigation on a data plane, you must have a private/public key pair with the public key registered on the the data plane and the private key in your local folder. Add the public key on the Data Proxy tab of the Data Planes page in the platform UI. See Create and Edit a Data Plane. Each user only needs to perform this action once per data plane.	Yes		`./jwt-signing-key.pem`
`jwtSigningKeyPassword`	This is the password for the JWT signing key, if applicable.	Yes		null
`jwtSigningAlgorithm`	Indicates the type of secure hash algorithm (SHA) used to create the JWT signing key. Keep the default of `RS256` for RSASSA-PKCS1-v1_5 using SHA-256. Change to `ES256` for ECDSA using P-256 (aka secp256r1 or prime256v1) and SHA-256. These are the only two SHA types that the platform currently supports.	Yes		`RS256`

Edit the kmsProperties section (example below) of the properties file to indicate the properties in the table below.

"kmsProperties": {
    "properties":  {"authenticationToken": "hvs.kuzTOe7a6OTDLTZtCtBoRa5P", "url": "http://10.0.0.59:8200", "path": "secret"},
    "extraPropertiesFilePath": null,
    "adapterJarPath":  "./HashiCorpVaultKeyReader_deploy.jar",
    "sharedClassesRegex": "(org.slf4j.*)|(com.fasterxml.jackson.*)"
  },

Set kubernetesRole and kubernetesAuthPath to the same value in data-plane-values.yaml used when you installed the platform. See Install the Data Plane.

Table 54. KMS Properties

Property	Description	Required?	Example	Default
`authenticationToken`	This is the value of the authentication token.	Yes	`hvs.kuzTOe7a6OTDLTZtCtBoRa5P`
`url`	The URL to the HashiCorp Vault server, including the protocol.	Yes	http://vault:8200
`path`	The path in HashiCorp Vault used as the base path for all secrets to be read.	Yes	secret
`extraPropertiesFilePath`	If not null, then read the file at this path in Java properties file format and merge it with the Properties field.	No		null
`adapterJarPath`	If not null, then read the adapter .jar file from this path. If null, then the adapter .jar file must be on the JVM classpath.	Yes	`./HashiCorpVaultKeyReader_deploy.jar`
`sharedClassesRegex`	Loaded classes and resources that match this regex will be shared between the adapter (plugin) and the rest of the application. If null, will default to sharing SLF4J and Jackson classes.	Yes	`(org.slf4j.)\|(com.fasterxml.jackson.)`

Edit the csvProperties section of the properties file to indicate the following about the .csv file:

"csvProperties": {
    "filePath": "./watermark2__clients__20230602.csv",
    "fileContainsHeaders": true,
    "recordSeparator": "\r\n"
  }

Note

You only need to include optional properties that you are changing from the default. If you are using the default value, you can exclude that property from the properties file.

Table 55. Watermarking .csv Properties

Property	Description	Required?	Example	Default
`filePath`	Indicates the path to the .csv file that you want to investigate.	Yes	`./2022_12_31_retail_customers.csv`	N/A
`fileContainsHeaders`	Indicates whether the .csv file has a header row.	No	`false`	`true`
`delimiter`	Indicates the character used to mark the division between fields. Change this if your file uses a different delimiter character, such as a pipe (`\|`). Note that this cannot be a line break character.	No	`\|`	`,`
`quoteCharacter`	Change this if your file uses a different quote character, such as a single quote (`'`).	No	`'`	`"`
`escape`	Indicates the character used when there are delimiter or quote characters embedded in the data. To disable this setting, enter `null`. Note Be sure to use the escape character before entering your escape character.	No		`\\`
`recordSeparator`	Indicates the line feed. This varies by operating system. For Linux use the default (`\n`). For Windows, use `\r\n`.	No	`\r\n`.	`\n`
`charSet`	Indicates which character set encoding the file uses. Change this if your file uses a different character set, such as `ASCII`.	No	`ASCII`.	`UTF-8`

You are now ready to Investigate a Watermark.

In this section:

Installation and Administration Guide

Configure Watermark Investigation

Important

Note

Note

Search results